To: users, dev, announce
Subject: ANNOUNCE: Apache SpamAssassin 3.2.1 available

Apache SpamAssassin 3.2.1 is now available!  This is a maintenance and
security release of the 3.2.x branch.  It is highly recommended that
people upgrade to this version from 3.2.0.

Downloads are available from:

  http://spamassassin.apache.org/downloads.cgi?update=200706081100

The release file will also be available via CPAN in the near future.

md5sum of archive files:

  7b2fdbcdca5e9a181d4bb1b17663c138  Mail-SpamAssassin-3.2.1.tar.bz2
  a7d51294c565999da01f212e5ad2a031  Mail-SpamAssassin-3.2.1.tar.gz
  e058ed0dfe82ee62f617c12cc02e538b  Mail-SpamAssassin-3.2.1.zip

sha1sum of archive files:

  3095b38d90d0362c4e47e117fb612778a2ac362b  Mail-SpamAssassin-3.2.1.tar.bz2
  fbb5f538238e188f985c8e6672dad531fa035eea  Mail-SpamAssassin-3.2.1.tar.gz
  d6566975544cd706052d310481d7a100ffce14d1  Mail-SpamAssassin-3.2.1.zip

The release files also have a .asc accompanying them.  The file serves as
an external GPG signature for the given release file.  The signing key is
available via the wwwkeys.pgp.net key server, as well as

  http://spamassassin.apache.org/released/GPG-SIGNING-KEY

The key information is:

  pub   1024D/265FA05B 2003-06-09 SpamAssassin Signing Key
        Key fingerprint = 26C9 00A4 6DD4 0CD5 AD24 F6D7 DEE0 1987 265F A05B

3.2.1 is a major bug-fix release, including a fix for a potential local
DoS.  The major highlights are:

- bug 5480: fix for CVE-2007-2873: a local user symlink-attack DoS
  vulnerability.  It only affects systems where spamd is run as root, is
  used with vpopmail or virtual users via the "-v"/"--vpopmail" OR
  "--virtual-config-dir" switch, AND with the "-x"/"--no-user-config"
  switch, AND WITHOUT the "-u"/"--username" switch, AND with the
  "-l"/"--allow-tell" switch.  This is not default on any distro package,
  and is not a common configuration.  More details of the vulnerability
  can be read at .

- bug 5488: zero some rules causing false positives: FH_HOST_EQ_D_D_D_DB
  and FH_HOST_EQ_D_D_D_D.

- bug 5257: re-raise autolearn ham threshold to 1.0; the lower value used
  in 3.2.0 was creating problems.

- bug 5422: in spamd, deleting hash entries from the SIGCHLD signal
  handler is unsafe, causes corruption of the data structure, and results
  in 'prefork: ordered child N to accept, but they reported state '1',
  killing rogue' errors.  fix.

- bug 5102: tighten up regexp for FORGED_HOTMAIL_RCVD to avoid some FPs.

- bug 5457: spamc build and test should handle not having zlib available.

- bug 5379: spamd could crash at startup if its preloading temporary
  directory already exists.  fix.

- bug 4616: spamc config can cause command line options to be ignored.
  fix.

- bug 5485: zero score DK/DKIM_POLICY_SIGNSOME rules since they'll always
  fire due to defaults (unless there's an explicit SIGNALL policy).

- bug 5492: VBounce rule was looking in header instead of body for
  whitelisted relays.  fix.

- bug 5487: prevent multiple "urirhssub"s using the same zone from
  overwriting each other.

- bug 5432: change default in Win32 build to not build spamc.

- bug 5446: add --updatedir option to sa-compile and remove inaccurate
  re2c required version info from pod.

- bug 5436: add omitted "ifplugin" statements to the configuration, which
  would otherwise cause lint errors if the default plugins were disabled.

- bug 5477: prevent Rule2XSBody info message from appearing on stderr
  during spamd startup.
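The affected-configuration test from the bug 5480 item above, written out as an audit check an administrator can run against a spamd command line before upgrading.  This is an added example, not SpamAssassin's own code; it assumes the caller supplies spamd's argv and the user it runs as (for instance taken from ps output), and the only option names it knows are the ones quoted in that item.

```python
"""Audit check for the CVE-2007-2873 precondition stated in the 3.2.1
announcement (added example, not SpamAssassin code).  The announcement
says spamd is affected only when ALL of these hold:
  * spamd runs as root
  * -v/--vpopmail or --virtual-config-dir is used
  * -x/--no-user-config is used
  * -u/--username is NOT used
  * -l/--allow-tell is used
"""
from typing import Iterable, List, Set

# Short-to-long mapping for the switches quoted in the announcement.
SHORT_TO_LONG = {"v": "vpopmail", "x": "no-user-config",
                 "u": "username", "l": "allow-tell"}
# Options whose value must not be mistaken for another switch.
TAKES_VALUE = {"username", "virtual-config-dir"}


def parse_spamd_flags(argv: Iterable[str]) -> Set[str]:
    """Return the canonical long names of options present in argv.
    Handles '--opt', '--opt=value', '-x', clustered '-xl', '-u user'
    and '-uuser'.  argv[0] is the program path and is skipped."""
    found: Set[str] = set()
    args: List[str] = list(argv)[1:]
    i = 0
    while i < len(args):
        arg = args[i]
        if arg.startswith("--"):
            name = arg[2:].split("=", 1)[0]
            found.add(name)
            if name in TAKES_VALUE and "=" not in arg:
                i += 1                      # value is the next argument
        elif arg.startswith("-") and len(arg) > 1:
            for pos, ch in enumerate(arg[1:], start=1):
                name = SHORT_TO_LONG.get(ch, ch)
                found.add(name)
                if name in TAKES_VALUE:
                    if pos == len(arg) - 1:  # '-u user': skip the value
                        i += 1
                    break                    # '-uuser': rest is the value
        i += 1
    return found


def affected_by_cve_2007_2873(argv: Iterable[str], running_user: str) -> bool:
    """True only when every condition from the announcement holds."""
    flags = parse_spamd_flags(argv)
    virtual = "vpopmail" in flags or "virtual-config-dir" in flags
    return (running_user == "root" and virtual
            and "no-user-config" in flags
            and "username" not in flags
            and "allow-tell" in flags)
```

The constructed command lines in the test below exercise the combined-switch and separate-value spellings; dropping any one of the conditions (a -u user, a non-root process, no -l) clears the result.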